At the national level we heard from Matt Hamill, the Senior Vice President of Advocacy and Analysis for NACUBO.  He gave an overview of the issues facing the industry at the federal level, which primarily focused on the federal budgeting process including tax reform and proposed changes to student financial aid including Pell grants and student loans.

Governor Paul Patton enlightened the group on the post-secondary education reforms that were passed when he was Governor of Kentucky in 1997.  Looking back, perhaps those reforms provided the basis for some of the success post-secondary educational institutions in Kentucky have experienced in the past several years.  

Over the next two days we were updated on the latest accounting standards issued by FASB and GASB, educated on how to keep college Presidents off the front page of the newspaper, and we heard from internal auditors and learned about fraud.  There were sessions on leadership, debt financing and operations of the institution.

One of the highlights of the conference was the talk given by Tori Murden McClure, M.Div., J.D., M.F.A., the current President of Spalding University and the first woman to row solo across the Atlantic Ocean.  Tori is a very motivating and inspirational woman in both her professional and personal endeavors. If you ever have the opportunity to meet her and listen to her speak, take the time to do so because you will not be disappointed.

In summary it was a conference filled with great information and networking. We are looking forward to applying the new information we learned and plan on participating in the 2013 SACUBO conference in Atlanta.  For more information regarding our colleges and universities team along with the services we provide, please contact Crissy Fiscus, Director of Assurance Services (cfiscus@ddafcpa.com).

Essentially, there are two types of SOC reports.  The first, SOC 1, deals primarily with internal controls as they relate to your financial reporting.  The second type has two report options, SOC 2 and SOC 3.  These reports address controls around other subject matter such as privacy, confidentiality, and security.  The remainder of this e-newsletter will provide an overview of the SOC 2 and SOC 3 reports.

The SOC 2 and SOC 3 reports were designed to provide service organizations the ability to have a CPA provide an outside opinion on controls other than those related to financial reporting.  As business models for using service providers to perform key functions of an operation have become more common, it is even more important to have a tool to evaluate and ensure compliance obligations are met by the service providers. 

SOC 2 and SOC 3 reports cover the same subject matter but provide for different presentation formats.  While a SOC 2 and SOC 3 can cover essentially any subject matter, they will most commonly cover one or a combination of the five Trust Services Principles (TSP):

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

The TSP was developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).  TSP is a set of principles and criteria designed to address the risk and opportunities of IT.

Much like the SOC 1 report, the SOC 2 report has two types: Type 1 and Type 2.  The SOC 2, Type 1 reports contain similar content as the SOC 1, Type 1:

• Description of service organization’s systems (prepared by the service organization)
• Service auditor’s report that contains:
  • Opinion on fairness of the presentation of the description of the system
  • Opinion on the suitability of the design of the controls

The SOC 2, Type 2 report contains the same information as the SOC 2, Type 1; however, it also provides an opinion on the operating effectiveness of the controls, including a description of the testing performed and the results of the tests.  The SOC 2 reports are written with an intended audience of knowledgeable parties who have an understanding of the service being provided.

The SOC 3 report is considered a general use report and is often used for marketing purposes by the service organization.  The SOC 3 report requires the same review and testing of controls as found in an SOC 2, Type 2 report.  Due to the need of a report that can be made available to a larger audience, the report content is less detailed than the SOC 2, Type 2 report.  The SOC 3 report can also be issued in the form of a seal.

For additional information on SOC Reporting, please visit: DDAF SOC Reporting or contact Jason Miller at jmiller@ddaftech.com or 859.425.7626
Part 1 – Service Organization Control Reports – Where is Your Latest SAS 70?

Part 2 – Service Organization Control (SOC) Reports – SSAE 16 – SOC 1 Reports Defined

Essentially there are two types of SOC reports.  The first, SOC 1, deals primarily with internal controls as they relate to your financial reporting.  The second type has two report format options, SOC 2 and SOC 3.  These reports address controls around other subject matter such as privacy, confidentiality, and security.  The remainder of this e-newsletter will provide an overview of the SOC 1 report.  Part 3 of this series will provide more detail on SOC 2 and SOC 3 reports.

Basically, SOC 1 reports replace SAS 70 reports.  It is important to remember that a SOC 1 report is conducted with the intention of evaluating the controls in place at a service organization that could have an impact on financial reporting for a client.  The SOC 1 report is only intended to be used by the management or the auditor of the user entity of a service organization.  A business would typically only request a SOC 1 from a service organization with the intention of providing the report to their outside financial auditors.

There are two types of SOC 1 reports, a Type 1 and Type 2.  The SOC 1, Type 1 reports has the following components:

• Description of service organization’s systems (prepared by the service organization)
• Service auditor’s report that contains:
  • Opinion on fairness of the presentation of the description of the system
  • Opinion on the suitability of the design of the controls

The SOC 1, Type 2 report contains the same information as the Type 1; however, it also provides an opinion on the operating effectiveness of the controls, including a description of the testing performed and the results of the tests.

Stay tuned for part 3:

     Service Organization Control (SOC) Reports – Part 3 (May 9, 2012)
          SSAE 16 – SOC 2 and SOC 3 Reports Defined

For additional information on SOC Reporting, please visit: DDAF SOC Reporting or contact Jason Miller at jmiller@ddaftech.com or 859.425.7626.

Part 1 – Service Organization Control Reports – Where is your latest SAS 70?

To provide some comfort over controls that could impact financial reporting, the American Institute of Certified Public Accountants (AICPA) issued a Statement of Auditing Standards Number 70 (SAS 70), which provided guidance for CPAs on how to perform an engagement to assess the effectiveness of a service organization’s controls, but only the controls related to services that could impact a user entity’s financial reporting.  It is possible that you have been asked to obtain a SAS 70 report.  

The SAS 70 had one very important limitation; it was only intended to assess controls around financial reporting.  In 2011, the SAS 70 became obsolete.  The AICPA released new guidance that provides options for a service organization to obtain an independent opinion on internal controls that are not limited to financial reporting.  A service organization is defined as an organization that performs a task or function for other entities.  There are many examples of service organizations; some familiar ones include payroll processors, insurance claims processors, and hosted data centers.

Any service organization control report (SOC) covering a time period after June 15, 2011 is now required to follow the Statement on Standards for Attestation and Engagements Number 16 (SSAE 16).  The SSAE 16 standard provides an expanded menu of options for a service organization to choose from.  SSAE 16 provides options to cover other areas of control such as privacy, confidentiality, security, and other areas.  These additional reporting options are extremely important to businesses who rely on service organizations and who are required to comply with regulatory standards such as the Health Information Privacy and Accountability Act (HIPAA) or Gramm-Leach-Bliley (GLB).  However, even if you are not required to comply with any specific regulatory standards for privacy or security, a SOC report can be very useful in evaluating and managing a service organization that you have entrusted with your critical information.

For more information on the types of SOC reports available,
stay tuned for parts 2 and 3:

Service Organization Control (SOC) Reports – Part 2
    SSAE 16 – SOC 1 Reports Defined (May 2, 2012)

Service Organization Control (SOC) Reports – Part 3
    SSAE 16 – SOC 2 and SOC 3 Reports Defined (May 9, 2012)

For additional information on SOC Reporting, please visit: DDAF SOC Reporting or contact Jason Miller at jmiller@ddaftech.com or 859.425.7626.

Follow our lead on the path to success!

The expertise of the DDAF College and University team combined with our commitment to client service makes us uniquely qualified to help you survive and thrive in today’s challenging economic environment.

Our team is all packed up and headed to the annual Southern Association of College and University Business Officers (SACUBO) meeting in Louisville this coming week, April 22 – 24. Let us know which conference speakers and sessions are most compelling and meet members of our College and University team. Crissy Fiscus, David Richard, and Lance Mann will all be on-site, eager to meet you and answer any questions.

Be sure to stop by the DDAF booth (#211) in the exhibit hall to register for your chance to win a BRAND NEW Kindle Fire!

State and Local Government Accounting Webcast on April 24

On April 24 at noon EDT, McGladrey & Pullen, LLP will present its Annual State and Local Government Accounting Update. During this one-hour complimentary webcast, McGladrey partner and regional public sector practice leader Michelle Horaney will present the most up-to-date information on the changing world of government accounting standards. The seminar will provide insight into recent accounting and reporting developments and issues impacting state and local governments, including public schools and city and county municipalities. Topics to be discussed include: 

• What to expect this year   
• Updates regarding key developments, including Governmental Accounting Standards Board Statement No. 57, OPEB Measurements by Agent Employers and Agent Multiple-Employer Plans, and Statement No. 64, Derivative Instruments: Application of Hedge Accounting Termination Provisions (an amendment of GASB Statement No. 53)
• How to prepare for year-end financial statements
• What to start planning for now
• Standards that have been recently issued with future effective dates

CLICK HERE to register.

We are proud to offer great services like this through our alliance with McGladrey and hope you will take advantage of this unique opportunity to learn from the best. If you have any questions concerning the event, please do not hesitate to contact Travis Thomas by e-mail tthomas@ddafcpa.com or by phone 502.566.1072.

Information security should on the forefront of everyone’s mind in this fast-paced and constantly changing age of technology.  Are you doing enough to protect critical information that customers, employees, patients, students, or any other entity entrusts into your care?  In today’s world, there are countless voices offering guidance on how to best secure critical information.  Below are four security compliance standards that are meant to protect us:

HIPAA – Health Information Privacy and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.  The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

GLB – Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services to explain their information-sharing practices to their customers and to safeguard sensitive data.

Red Flag Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts.

PCI DSS – Payment Card Industry – Data Security Standards provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.

Despite these standards, most organizations only do a fraction of what they should to properly safe-guard the sensitive information that others have entrusted to their care.  While running the core functions of a business, it can be easy to forget how important information security is for the good of the company.    These areas of compliance are often seen as additional hurdles that are expensive and time consuming.  We often hear excuses such as:

“Our budgets don’t allow for the items that are truly needed to comply”

“Our business is too small. A thief/hacker wouldn’t waste their time on us; they would focus their time and energy on a larger company with a bigger payout”

While there may be some truth to those comments, we see examples every day that contradict them.  Information security risks are a reality for all of us whether we are large or small, simple or complex.  Information security risks are not just the responsibility of the Information Technology (IT) department.  Information security is a responsibility of management and every employee.  A good Information security program includes management involvement and oversight, as well as a good employee Information security education program.  It doesn’t just cover the IT systems since information can be electronic or physical.  This is an area we often lose sight of and expect that IT will handle Information Security.

Just last week we saw examples of both extremes.   The first involved a large, publicly traded credit card processor company that had a technology breech potentially putting over 10 million card holders’ information in jeopardy.  The second example involved a small regional hospital who had a nurse’s aide taking patient information and using it to apply for credit.  The aide is believed to have accessed to up to 200 patients’ information.  This incident was not the work of a technology hacker, just a normal employee supposedly doing their job.

While many of the regulatory and guidance areas listed above allow for civil, criminal, or financial penalties for negligence in protecting information, there is likely a greater potential loss to your organization associated with the negative publicity that comes with a breech like those described above.  What would it cost your organization to have a negative news story about the harm caused to your constituents due to your negligence?  A good reputation is hard to achieve.  A negative reputation could be impossible to recover from.  Are you being responsible with the information that has been entrusted to your organization?

For more information on Information Security Compliance at your organization, please contact our Director of Technology Consulting, Jason Miller at jmiller@ddaftech.com or (859) 425-7626.

For more information, click here for a full copy of the report.  If you have questions or would like to meet with one of our manufacturing team members, please contact Mike Harbold at mharbold@ddafcpa.com.

For more information please contact Lance Mann (lmann@ddafcpa.com).

When President Barrack Obama signed into law the Patient Protection and Affordable Care Act (“PPACA”) on March 23, 2010, additional requirements were imposed on hospitals seeking to obtain or maintain charitable tax-exempt status as defined under Section 501 of the Internal Revenue Code of 1986.  One of the four requirements is the completion of a community health needs assessment (CHNA).  The CHNA requirements are not effective until tax years beginning after March 23, 2012, but most exempt hospitals have already begun the process of planning for and conducting CHNAs.

Hospital organizations that are required to meet the CHNA requirement.

• “State-licensed” hospital facilities are subject to the CHNA requirement.
• Organizations operating a hospital facility through a disregarded entity, joint venture, LLC, or other entity taxed as a partnership are subject to the CHNA requirement.
• Hospital organizations that operate multiple hospital facilities are required to document separately the CHNA and implementation strategy for each hospital facility, although the facilities may collaborate in meeting these requirements.

Documentation of a CHNA.  A hospital must document a CHNA in a written report that includes:

• A description of the community served by the facility and how the “community” was determined.
• A description of the process and methods used to conduct the CHNA, including sources and dates of data, analytical methods used, information gaps, collaborating organizations, and the identity and qualifications of third parties contracted with to assist in conducting the CHNA.
• A description of how the hospital considered input from persons representing the broad interests of the community served by the facility, including information on individuals and organizations that provided input.
• A prioritized description of all needs identified and a description of the process and criteria used in prioritizing the needs.
• A description of the existing healthcare resources in the community available to meet the CHNs identified in the CHNA.

How and when a CHNA is “conducted”.

• A CHNA is considered “conducted” in the year the written report is made widely available to the public.
• A CHNA is considered “conducted” only if it identifies and assesses the health needs of, and takes into account input from persons representing the broad interests of, the community served by the facility.

Community served by a hospital facility.  

• IRS intends to permit a hospital facility to take into account all of the relevant facts in defining the “community” served by the facility.  
• IRS generally expects a geographic description, but understands that it may include target populations.  
• The community may not be defined to exclude, e.g., medically underserved populations, low-income persons, minority groups, or those with chronic disease.  
• IRS is requesting comments on various geographic definitions of community – e.g., MSA.

Persons representing the broad interests of the community.  

• At a minimum, input from the following must be considered in the CHNA:  persons with expertise in public health; governmental entities with data relevant to community health needs; and representatives of medically underserved, low-income, chronic-disease, and minority populations. 

Making a CHNA widely available to the public.  The CHNA will be considered made widely available to the public if it is posted on the facility’s website.

Implementation strategy.  

• Each hospital facility must adopt an implementation strategy based on the CHNA.  
• The strategy must be written and address each need identified in the CHNA by either describing how the facility plans to meet the health need or identifying the health need as one the hospital facility does not intend to meet and explaining why the facility does not intend to meet the need.  
• The strategy should take into account the specific programs, resources, and priorities of the facility.  
• The strategy should describe any planned collaboration with other organizations.  
• The implementation strategy must be attached to the organization’s Form 990.

  How and when an implementation strategy is adopted.  

• The implementation strategy will be considered adopted on the date it is approved by an authorized governing body of the hospital.  
• The strategy must generally be adopted by the end of the same tax year in which the CHNA is conducted, although IRS requests comments on circumstances under which a facility should be provided additional time for adoption of the strategy as a transitional rule. 

Excise tax on failure to meet the CHNA requirements.  The $50,000 excise tax for failure to meet the CHNA requirements in a 3-year period will be assessed on a facility-by-facility basis and for each year of failure. 

For more information please contact Adam Shewmaker (ashewmaker@ddafhealthcare.com).